Efficient and secure distributed signing protocol for mobile devices in wireless networks

ABSTRACT

The techniques described herein may provide an efficient and secure two-party distributed signing protocol for the identity-based signature scheme described in the IEEE P1363 standard. For example, in an embodiment, a method may comprise generating a distributed cryptographic key at a key generation center and a first other device and a second other device and generating a distributed cryptographic signature at the first other device using the second other device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No.62/693,585, filed Jul. 3, 2018, the contents of which are herebyincorporated by reference herein in their entirety.

BACKGROUND OF THE INVENTION

The present invention relates to an efficient and secure two-partydistributed signing protocol for the identity-based signature schemedescribed in the IEEE P1363 standard.

Rapid advances in wireless communications, hardware/software andInternet technologies have led to an exponential growth in the number ofusers accessing the Internet using mobile, wearable or other Internet ofThings (IoT) devices. Identity-based signature schemes have been widelyapplied to enforce user authorization and validate user messages inmobile wireless networks. Unfortunately, the user's private key used togenerate signatures is prone to leakage because the key is being storedon the mobile device. Several (t; n) threshold secret sharing schemeshave been proposed to address the issue. However, the private keys inmost of those schemes have to be recovered on a single device whengenerating signatures so that the user who holds the device can sign anymessage without the participation of other users.

The IEEE P1363 project is well-known for issuing standard specificationsfor public-key cryptography through a series of IEEE standardsdocuments. The IEEE Standard 1363-2000 consists of the followingparts: 1) Traditional public-key cryptography (1363-2000 & 1363a-2004);2) Lattice-based public-key cryptography (P1363.1); 3) Password-basedpublic key cryptography (P1363.2); and 4) Identity-based public keycryptography using pairings (P1363.3). The BLMQ signature scheme is theidentity-based signature scheme in the IEEE P1363 standard, and has beenwidely used in many practical applications. However, the BLMQ signaturescheme does not provide an efficient and secure two-party distributedsigning protocol.

Accordingly, a need arises for techniques that provide efficient andsecure two-party distributed signing protocol for the identity-basedsignature scheme described in the IEEE P1363 standard.

SUMMARY OF THE INVENTION

The techniques described herein may provide an efficient and securetwo-party distributed signing protocol for the identity-based signaturescheme described in the IEEE P1363 standard.

For example, in an embodiment, a method may comprise generating adistributed cryptographic key at a key generation center and a firstother device and a second other device and generating a distributedcryptographic signature at the first other device using the second otherdevice.

In embodiments, generating the distributed cryptographic key maycomprise generating, at the key generation center, a user ID private keybased on a user ID, and a Pallier key pair comprising a public key and aprivate key, transmitting the user ID private key, the Pallier publickey, and the Pallier secret key from the key generation center to thefirst other device, and transmitting the user ID private key and thePallier public key from the key generation center to a second otherdevice. Generating a distributed cryptographic signature may comprisetransmitting a message from the first other device to a zero knowledgefunctionality, the message comprising a request for proof that thesecond other device possesses the the user ID private key and inresponse to receiving the message from the first other device,transmitting a message from the zero knowledge functionality comprisingproof that the first other device possesses the user ID private key.Generating a distributed cryptographic signature may further comprise inresponse to receiving the message from the zero knowledge functionality,transmitting a message from the second other device to the zeroknowledge functionality comprising a request for proof of a relation andin response to receiving the message from the second other device,transmitting a message from the zero knowledge functionality comprisingproof that the second other device possesses the relation. Gnerating adistributed cryptographic signature may further comprise in response toreceiving the message from the zero knowledge functionality,transmitting a message from the second other device to the first otherdevice comprising a challenge based on the relation and in response toreceiving the message from the zero knowledge functionality and themessage from the second other device, computing, at the first otherdevice, a signature based on the user ID private key and on thechallenge.

In an embodiment, a system may comprise a key generation center adaptedto generate a distributed cryptographic key in communication with afirst other device, the first other device adapted to generate adistributed cryptographic signature in communication with key generationcenter and using a second other device, and the second other deviceadapted to to generate the distributed cryptographic signature incommunication with the first other device.

A computer program product comprising a non-transitory computer readablestorage having program instructions embodied therewith, the programinstructions executable by at least one computer system, to cause eachcomputer system to perform a method comprising: generating a distributedcryptographic key at a key generation center and a first other deviceand a second other device and generating a distributed cryptographicsignature at the first other device using the second other device.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the presentinvention can be understood in detail, a more particular description ofthe invention, briefly summarized above, may be had by reference toembodiments, some of which are illustrated in the appended drawings. Itis to be noted, however, that the appended drawings illustrate onlytypical embodiments of this invention and the invention may admit toother equally effective embodiments.

FIG. 1 illustrates an example of a typical identity-based signaturearchitecture for the wireless environment.

FIG. 2 illustrates an exemplary flow diagram of the BLMQ signaturescheme.

FIG. 3 illustrates an example of the Paillier cryptosystem.

FIG. 4 illustrates an exemplary data flow diagram of distributed keygeneration in accordance with embodiments of the present systems andmethods.

FIG. 5 illustrates an exemplary exemplary flow diagram of Phase 1 inaccordance with embodiments of the present systems and methods.

FIG. 6 illustrates an exemplary data flow diagram of distributedsignature generation in accordance with embodiments of the presentsystems and methods.

FIG. 7 illustrates an exemplary flow diagram of Phase 2 in accordancewith embodiments of the present systems and methods.

FIG. 8 illustrates an example of a system in which embodiments of thepresent systems and methods may be implemented.

FIG. 9 illustrates an example of results of an experiment to determineperformance of the BLMQ signature scheme.

FIG. 10 illustrates an example of results of an experiment to determineperformance of the distributed key generation in accordance withembodiments of the present systems and methods.

FIG. 11 illustrates an example of results of an experiment to determinecomputation costs of the distributed signature generation in accordancewith embodiments of the present systems and methods.

FIG. 12 illustrates an example of a computing device in whichembodiments of the present systems and methods may be implemented.

Other features of the present embodiments will be apparent from theDetailed Description that follows.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following detailed description of the preferred embodiments,reference is made to the accompanying drawings, which form a parthereof, and within which are shown by way of illustration specificembodiments by which the invention may be practiced. It is to beunderstood that other embodiments may be utilized and structural changesmay be made without departing from the scope of the invention.Electrical, mechanical, logical, and structural changes may be made tothe embodiments without departing from the spirit and scope of thepresent teachings. The following detailed description is therefore notto be taken in a limiting sense, and the scope of the present disclosureis defined by the appended claims and their equivalents.

Technologies such as smart mobile devices and Internet of Things (IoT)devices have dramatically changed how we communicate (wired orwirelessly) in today's increasingly interconnected society. The numberof smartphone users in the United States is in the hundreds of millions,with the number of smartphone users worldwide in the billions. Ensuringwired network security is generally easier compared to wireless networksecurity. Additional challenges exist with wireless networks becausemobile wireless devices tend to be lightweight or have limitedcommunication and storage capabilities (for example, wirelesspacemakers, and smart military uniforms). In e-commerce, such asBusiness to Business (B2B) and Business to Customer (B2C), wirelesscommunications may also be subject to more sophisticated attacks.

Identity-based cryptography is an identity-based signature schemewherein the user's public key can be obtained from user's ID or emailaddress. Many identity based signature schemes have been proposed.Identity-based signature schemes have been used in many practicalapplications. FIG. 1 shows a typical identity-based signaturearchitecture 100 for the wireless environment wherein the user's privatekey 102 must be used when signing. Also shown in FIG. 1, are keygeneration center (KGC) 104 and the user's identity (ID) 106.

Thus, it is important to be able to authenticate a user and the message.To authenticate an individual, we generally rely on the user “proving”the ownership of the corresponding private signing key by some means.Such private keys are normally stored on the mobile device or smartcard, which may be remotely compromised if physically acquired by anattacker.

One common approach is through the use of a (t, n)—threshold secretsharing scheme, which extends the secret sharing. Threshold secretsharing schemes have been used in many applications. In the (t,n)—threshold secret sharing scheme, a private key is shared among nparties. Any information about the private key cannot be obtained fromt−1 or fewer shares, and with a subset of t or more shares, the wholeprivate key can be recovered. Thus, threshold cryptography provides ahigh of level security for the private key because by corrupting lessthan t−1 parties or devices, the adversary will obtain nothing about thesecret.

However, the (t, n)—threshold secret sharing scheme has a limitation.Specifically, any party who holds the recovered private key can sign anydocument without the participation of other parties. Moreover, therecovered private key is normally stored in a mobile device, which canbe compromised. Several two-party protocols have also been designed tomitigate such a reconstruction limitation. Compared with theconventional secret sharing scheme, in a two-party protocol, two partiesinteract with each other and output a signature without recovering theprivate key.

The BLMQ signature scheme is the identity-based signature scheme in theIEEE P1363 standard, and has been widely used in many practicalapplications. In embodiments, the present systems and method may providean efficient and secure two-party distributed signing protocol for theidentity-based signature scheme described in the IEEE P1363 standard.

In embodiments, the present systems and method may provide a two-partydistributed signing protocol for an identity-based signature scheme.Embodiments may include protocols that provide improved security,efficiency, and practicality in a wireless environment. Embodiments mayinclude a novel two-party distributed signing protocol, which is a fastthreshold cryptography protocol for an identity-based signature scheme.In embodiments, the protocol can generate a valid signature withoutrecovering the private key. Further, a valid signature cannot begenerated if one of the participants is not involved. Security analysisof embodiments of the protocol shows that the protocol can satisfysecurity requirements. Moreover, such security may be proven under thenon-standard assumption, and satisfy the zero-knowledge proof analysis.

Preliminaries. Notations. Let D denote a random distribution or set, andxrD denote that x is selected from D randomly. The security parameter isn, and a function μ(n) is negligible, if for any polynomial p,μ(n)=O(1/p(n)). P.P.T denotes a probabilistic-polynomial time algorithm,and KGC denotes a trusted Key Generation Center (KGC). H₁ and H₂ are twosecure hash functions, such that H₁: {0,1}*→Z_(q), and H₂: {0,1}*→Z_(q).

Bilinear pairing let G₁ and G₂ be two cyclic additive groups, G₃ be amultiplicative group, and e:G₁×G₂→G₃ denotes a bilinear map satisfiesthe following properties:

-   -   1. For a₁,a₂∈G₁ and b₁,b₂ ∈G₂, e(a₁+a₂,b₁)=e(a₁,b₁)e(a₂,b₁) and        e(a₁,b₁+b₂)=e(a₁,b₁)e(a₁,b₂).    -   2. For all 0≠a∈G₁, there exists b∈G₂ such that e(a,b)≠1.    -   3. For all 0≠b∈G₂, there exists a∈G₁ such that e(a,b)≠1.

BLMQ signature scheme. An exemplary flow diagram of the BLMQ signaturescheme 200 is shown in FIG. 2. BLMQ signature scheme 200 includes thefollowing four processes. Setup process 202, given a security parametern, KGC produces the system parameters params. Setup process 202 beginsat 204, in which the process chooses G₁,G₂,G₃ and a pairing e:G₁×G₂→G₃.At 206, the process picks a random generator Q₂ of G₂, and calculatesQ₁=ϕ(Q₂)∈G₁. At 208, the process generates a random number s∈Z_(p) asthe master secret key, and calculates R=sQ₂ and g=e(Q₁,Q₂). At 210, theprocess sets the system parameters params=(R,g,Q₁,Q₂,G₁,G₂,G₃,e) asavailable.

Extract process 212, given a user's identity ID, KGC produces the user'sprivate key. Extract process 212 begins at 214, in which the processcomputes the identity element h_(ID)=H₁(ID) in Z_(p). At 216, theprocess outputs K_(ID)=(h_(ID)+s)⁻¹Q₁.

In sign process 218, given a message m, the user with the identity IDgenerates the signature σ. Sign process 218 begins at 220, in which theprocess computes u=g^(r), where r is a random integer. At 222, theprocess computes h=H₂(m,u) and S=(r+h)K_(ID). At 224, the processoutputs σ=(h,S).

In verify process 226, given the signature σ=(h,S), the identity ID andthe message m, the verifier verifies the validation of the signature.Verify process 226 begins at 228, in which the process computesh_(ID)=H₁(ID). At 230, the process computes

$u = {\frac{e\left( {S,{{h_{ID}Q_{2}} + R}} \right)}{{e\left( {Q_{1},Q_{2}} \right)}^{h}}.}$

At 232, if h=H₂(m,u), then the process outputs 1, otherwise the processoutputs 0.

Zero-Knowledge Proof. The ideal zero knowledge functionality is

_(zk), and the standard ideal zero-knowledge functionality is defined by((x,w), λ)→(λ,(x,R(x,w))), where λ denotes the empty string.

Definition 1: The zero-knowledge functionality

_(zk) ^(R) for relation R: Upon receiving (prove,sid,x,w) from P_(i)(i∈{1,2}): if (x,w) ∉R or sid has been previously used, then ignore themessage. Otherwise, send (proof,sid,x) to P_(3-i). The non-interactivezero-knowledge proof of knowledge satisfying

_(zk) can be achieved in random oracle model.

Paillier Encryption. In embodiments, the Paillier cryptosystem may beused for encryption. An example of the Paillier cryptosystem 300 isshown in FIG. 3. Paillier cryptosystem 300 includes the following threeprocesses. Key Generation process 302 begins with 304, in which theprocess choose twos equivalent length large prime numbers p and qrandomly. At 306, the process computes g=n+1, λ=ϕ(n) and μ=(ϕ(n))⁻¹n,where ϕ(n)=(p−1)(q−1). At 308, the process output the public key, whichis pk=(n,g), and the private key, which is sk=(λ,μ).

Encryption process 310 begins with 312, in which the process selects arandom number r where r∈Z*_(n). At 314, the process computes ciphertextc=Enc_(pk)(m)=g^(m)·r^(n) mod n², where 0≤m<n.

Decryption process 316 includes 318, in which the process decrypts theciphertext as m=Dec_(sk)(c)=L(c^(λ)n²)·μ mod n, where

${L(x)} = {\frac{x - 1}{n}.}$

In embodiments, Enc_(pk)(·) denotes the encrypt operation using publickey pk, Dec_(sk)(·) denotes the decrypt operation using private key sk.In the Paillier cryptosystem, there is a notable feature which is itshomomorphic properties:

-   -   1. Dec_(sk)(Enc_(pk)(m₁)·Enc_(pk)(m₂))=m₁+m₂.    -   2. Dec_(sk)(Enc_(pk)(m₁)^(m) ² )=m₁m₂.        Let c₁=Enc_(pk)(m₁), c₂=Enc_(pk)(m₂), then        c₁⊕c₂=Enc_(pk)(m₁+m₂), m₂⊗c₁=Enc_(p,)(m₁)^(m) ² .

Two-Party Distributed Signing Protocol. In embodiments, the presentsystems and methods may provide a two-party distributed signing protocolfor the identity-based signature scheme described in IEEE P1363. The twokey phases are the distributed key generation phase and the distributedsignature generation phase.

Distributed Key Generation. In the distributed key generation phase, themain algorithms are processed by KGC 104, shown in FIG. 1. An exemplarydata flow diagram of distributed key generation 400 is shown in FIG. 4.It is best viewed in conjunction with FIG. 5, which is an exemplary flowdiagram of Phase 1 500. As shown in FIG. 4, KGC 104 distributes theprivate key K_(ID) into two parts.

Phase 1: Distributed Key Generation 500 begins with 502, in which KGC104 computes the user ID's 402 identity element h_(ID)=H₁(ID). At 504,404, KGC 104 selects an integer t₁, and computes t₂=t₁ ⁻¹·(h_(ID)+s)⁻¹406. At 506, 408, KGC 104 sets K_(ID) ⁽¹⁾=t₁Q₁, and K_(ID) ⁽²⁾=t₂. At508, 410, KGC generates a Paillier key-pair (pk,sk) for P₁. At 510, KGC104 sends (K_(ID) ⁽¹⁾,pk,sk) 412 to P₁ 414, and sends (K_(ID) ⁽²⁾,pk)416 to P₂ 418. At 512, P₁ 414 stores (ID,K_(ID) ⁽¹⁾,pk,sk) 420 and thepublic parameter P, and P₂ 418 stores (ID,K_(ID) ⁽²⁾,pk) 422 and thepublic parameter params 424. It is worth noting that we can check theequation K_(ID) ⁽¹⁾·K_(ID) ⁽²⁾=(h_(ID)+s)⁻¹Q₁.

Distributed Signature Generation. In the distributed signaturegeneration phase, P₁ and P₂ select r₁ and r₂ respectively, where r₁r₂=r,and u=g^(r) ₁g^(r) ₂. P₁ encrypts r₁ under pk (i.e. C₁=Enc(r₁)),computes R₁=g^(r) ¹ , and sends R₁,C₁ to P₂. After P₂ receives R₁,C₁, itis trivial for P₂ to compute a ciphertext of S″=(r₁r₂+h)·K_(ID) ⁽²⁾under P₁'s public key. In order to prevent revealing any information toP₁, P₂ chooses a random integer

${\rho \overset{\mspace{25mu} r\mspace{20mu}}{\leftarrow}Z_{q}},$

and computes the encryption of S″=(r₁r₂+h+ρ·q)·K_(ID) ⁽²⁾. Then, P₁ cancompute S′=S″·t₁, and finally computes the signature S=S′·Q₁.

To verify that the messages that P₁ communicated with P₂ are correct, weuse the zero-knowledge proof. An exemplary data flow diagram ofdistributed signature generation 600 is shown in FIG. 6. It is bestviewed in conjunction with FIG. 7, which is an exemplary flow diagram ofPhase 2 700.

Phase 2: Distributed Signature Generation 700 begins with 704, in whichP₁'s 602 first message is generated by, at 706, P₁ 602 chooses

${r_{1}\overset{\mspace{25mu} r\mspace{14mu}}{\leftarrow}Z_{q}},$

and computes R₁=g^(r) ¹ 604. At 708, P₁ 602 computes C₁=Enc_(pk)(r₁)606. At 708, P₁ 602 generates 608 and sends (prove,1,(R₁,C₁),(r₁,sk))610 to

_(zk) ^(R) ^(PDL) .

At 712, P₂'s 612 first message is generated by, at 714, P₂ 612 receives(proof,1,(R₁,C₁)) 610 from

_(zk) ^(R) ^(PDL) , if not, it aborts. At 716, P₂ 612 verifies π₁ 604,chooses

${r_{2}\overset{r}{\leftarrow}Z_{q}},$

and computes R₂=g^(r) ₂ 612. At 718, P₂ 612 generates 614 and sends(prove,2,R₂,r₂) 620 to

_(zk) ^(R) ^(DL) . At 720, P₂ 612 computes u=R₁ ^(r) ² , h=H₂(m,u) 616.At 722, P₂ 612 chooses

$\rho \overset{\mspace{25mu} r\mspace{20mu}}{\leftarrow}Z_{q}$

and computes C₂=K_(ID) ⁽²⁾⊗(r₂⊗C₁⊗Enc_(pk)(ρ·q+h)) 618. At 724, P₂ 612sends C₂ 620 to P₁ 602.

At 726, P₁ 602 generates the output by, at 728, P₁ 602 receives(proof,2,R₂) 620 from

_(zk) ^(R) ^(DL) ; if not; it aborts. At 730, P₁ 602 computesS′=Dec_(sk)(C₂) mod q, 622 then computes S=S′·K_(ID) ⁽¹⁾ 624. At 732, P₁602 computes u=R₂ ^(r) ¹ and h=H₂(m,u). At 734, P₁ 602 verifies (h,S)626 by the identity ID, if the signature is valid, it then outputs (h,S)626, otherwise, it aborts.

Correctness. Due to C₁=Enc_(pk)(r₁), C₂=K_(ID)⁽²⁾⊗(r₂⊗C₁⊗Enc_(pk)(ρ·q+h)), R₂g^(r) ² , then P₁ can compute

u = g^(r₁r₂) $\begin{matrix}{S = {{{Dec}_{sk}\left( C_{2} \right)}{q \cdot t_{1}}Q_{1}}} \\{= {{{Dec}_{sk}\left( \left( {C_{1}^{r_{2}} + {{Enc}_{pk}\left( {{\rho \cdot q} + h} \right)}} \right)^{K_{ID}^{(2)}} \right)}{q \cdot K_{ID}^{(1)}}}} \\{= {{{Dec}_{sk}\left( {{{Enc}_{pk}\left( r_{1} \right)}^{r_{2}} + {{Enc}_{pk}\left( {{\rho \cdot q} + h} \right)}} \right)}^{K_{ID}^{(2)}}\mspace{14mu} {mod}\mspace{14mu} {q \cdot K_{ID}^{(1)}}}} \\{= {\left( {\left( {{r_{1}r_{2}} + h + {\rho \cdot q}} \right) \cdot K_{ID}^{(2)}} \right)\mspace{14mu} {mod}\mspace{14mu} {q \cdot K_{ID}^{(1)}}}} \\{= {{\left( {{r_{1}r_{2}} + h} \right) \cdot K_{ID}^{(2)}}K_{ID}^{(1)}}}\end{matrix}$

Therefore, the correctness of the proposed distributed signing protocolfor the identity-based signature scheme in the IEEE P1363 standard isproved.

Security Analysis. Security Model. Definition 2. IND-CPA Security Let

be a PPT adversary, C be a challenger. The IND-CPA security is definedby the following game with a negligible advantage.

-   -   1. C generates the key-pair (pk,sk),        obtains pk.    -   2.        outputs two messages m₀,m₁ (|m₀|=|m₁|).    -   3. C selects

${br}\overset{r}{\leftarrow}\left\{ {0,1} \right\}$

-   -    and encrypts m_(b) such that C*=Enc_(pk)(m_(b)), then returns        C* to C.    -   4.        outputs b′,        wins the game when b′=b.

Definition 3. We define an experiment

_(,π)(1^(n)), where π is a secure digital signature scheme such thatπ=(Gen, Sign, Verify).

-   -   1. (vk,sk)←Gen(1^(n)).    -   2. (m*, σ*)←        ^(sign) ^(sk) ^((·))(1^(n),vk).    -   3. Let        be the set of all m which can be queried.        can query oracle with m. Then, the experiment outputs 1 if m*∉        and Verify(m*,σ*)=1.

Definition 4. A signature scheme π is existentially unforgeable underCMA if for every probabilistic polynomial-time oracle machine

, there exists a negligible function μ such that for every n,

Pr[

_(,π)(1^(n))=1]<μ(n)

In the distributed signature generation phase, we define the experimentDist

_(,Π)(1^(n))

an adversary A who can control a party P_(b) (b∈1,2). In protocol Π, thehonest party P_(3-b) instructs a stateful oracle Π_(b)(.,.).

can choose which message needs to be signed, and can interact with partyP_(3-b). In this definition, the distributed signature generation phaseshould run after the distributed key generation phase. The oracle isqueried by two inputs: a session identifier and an input, and works asfollows:

-   -   1. Upon receiving a query (sid,m), and if the distributed key        generation phase has not been executed, then the oracle output        ⊥.    -   2. Upon receiving a query (sid,m) after the distributed key        generation phase has been executed, the oracle invokes a machine        M_(sid) which is instructed by P_(3-b) in protocol Π. M_(sid) is        initialized with key share and any stored information from KGC        in the distributed key generation phase. If P_(3-b) sends the        first message in the signing phase, then the oracle outputs this        message.    -   3. Upon receiving a query (sid,m) after the distributed key        generation phase has executed and sid has been queried, the        oracle sends the message m to M_(sid), and returns the next        message output from M_(sid). If M_(sid) finishes execution, then        it returns M_(sid)'s output.

In this experiment,

can control a party P_(b) with oracle access to Π_(b).

wins if it can forge a signature on a message m* which has not beenqueried in the oracle.

Definition 5. We define an experiment Dist

_(,Π)(1^(n)). Let π=(Gen, Sign, Verify) be a two-party signing phase.

-   -   1. (m*, σ* )←        ^((Π) ^(b) ^((.,.)))(1^(n)).    -   2. Let        be the set of all m which can be queried.        can query oracle with (sid,m). Then, the experiment outputs 1 if        m*∉        and Verify(m*, σ*)=1.

Definition 6. A protocol Π is a secure two-party protocol fordistributed signature generation for π, if for every P.P.T algorithm

and every b∈{1,2}, there exists a negligible function μ for every n,Pr[Dist

_(,Π)(1^(n))=1]≤μ(n).

Definition 7. The functionality

_(BLMQ) is combined with two functions: extraction and signing. Theextraction function can be queried only once, after the key extractionphase, the signing function can be queried an arbitrary number of times.

_(BLMQ) works with parties P₁ and P₂, and is defined as follows:

-   -   1. After receiving Extract(params,ID) from both P₁ and P₂:        -   (a)Generate a BLMQ key pair (h_(ID),K_(ID)) by computing            h_(ID)=H₁(ID), and choosing a random number

${sr}\overset{r}{\leftarrow}{Z_{p}.}$

-   -   -    Compute K_(ID)(h_(ID)+s)⁻¹Q₁. Choose a hash function            H_(q):{0,1}*→{0,1}^(└log\q\┘) and store            params,ID,H_(q),K_(ID)        -   (b) Send h_(ID) and H_(q) to both P₁ and P₂.        -   (c) Ignore future queries to Extract.

    -   2. After receiving Sign(sid,m) from both P₁ and P₂, if Extract        was queried and sid has not been used, then compute a BLMQ        signature (h,S) of the message m by follows:        -   (a) Choose a number

${r\overset{r}{\leftarrow}Z_{q}},$

-   -   -    compute u=g^(r).        -   (b) Compute h-H_(q)(m,u), and S(r+h)K_(ID).

Finally, send the signature (h,S) to both P₁ and P₂.

Definition 8. The Paillier-EC assumption is hard for every P.P.Tadversary A there exists a negligible function μ that Pr[Paillier−

(1^(n))=1]≤½+μ(n). Let G be a generator of a group G of order q. Theexperiment Paillier−

(1^(n)) is defined as follows:

-   -   1. Generate a Paillier key pair (pk,sk).    -   2. Select r₀,

$r_{1}\overset{r}{\leftarrow}Z_{q}$

and compute R=r₀·G.

-   -   3. Select b∈{0,1} and compute C=Enc_(pk)(r_(b)).    -   4. Let b′=        ^(O) ^(C) ^((.,.,.)) if Dec_(sk)(C′)=α+β·r_(b)q, O_(C)(C′, α,        β)=1    -   5. If and only if b′b, the experiment outputs 1.

Proof of Security. In this section, we prove that the protocol H is asecure two-party protocol for distributed signature generation as shownin the theorem below.

Theorem 1 If Paillier encryption is indistinguishable under CPA (chosenplaintext attack), and BLMQ signature is existentially-unforgeable undera CMA (chosen message attack), then our two-party protocol fordistributed signature generation of identity-based signature in IEEEP1363 is secure.

Proof. We now prove the security of our proposed protocol. In addition,if A can break the protocol of zero-knowledge with the probability ε,then it can break the protocol with probability ε+μ(n),μ is a negligiblefunction.

In our proof, for any adversary

that launches an attack on the protocol, we construct an adversary S whoforges a BLMQ signature in Definition Error! Reference source not found.with the probability that is negligibly close to the probability that

forging a signature in Definition.

If Paillier encryption is indistinguishable under CPA, then for everyP.P.T algorithm

and every b∈{1,2}, there exists a P.P.T algorithm S and a negligiblefunction μ such that for every n,

|Pr[Sign_(S,π)(1^(n))=1]−Pr[Dist

_(,529)(1^(n))]=11≤μ(n)  (1)

where Π denotes the protocol of Phase 2, and π denotes the BLMQsignature scheme. If we assume that BLMQ signature is secure, thereexists a negligible function μ′ for every n thatPr[Sign_(S,π)(1^(n))=1]≤μ′(n). With Equation 1, we conclude that Pr[

_(,Π)(1^(n))=1]≤μ(n)+μ′(n). We now prove Equation 1 for b=1 and b=2respectively.

When b=1 i.e., P₁ is the corrupted one, let

be a P.P.T adversary in Dist

_(,Π)(n), we construct a P.P. T adversary S for Sign_(S,π)(n). Ssimulates the execution for

as follows:

-   -   1. In Sign, S receives (1^(n),ID), where ID is the user's        identity which could generate the user's public key H₁(ID).    -   2. S invokes A on input 1^(n) and simulates oracle        in DistSign. Upon receiving a query (sid,m), where sid is a new        session identifier, S queries its signing oracle in Sign with m        and receives a signature (h,S) where S=S·Q₁. We slightly modify        the oracle that lets the signing oracle return S to the        simulator S. We let the adversary        compute t₁·Dec_(sk)(C₂). u can be computed by the BLMQ signature        verification algorithm. Then,        queries S with identifier sid. The query is processed as        follows:        -   (a) The first message (sid,m₁) is processed by parsing the            message m₁ since m₁=(prove,1,(R₁,C₁),(r₁,sk)). If R₁=g^(r) ¹            and C₁=Enc_(pk)(r₁), then S sets R₂=u^(l/r) ¹ , and sets the            oracle's reply message is (proof,2,R₂) and sends it to            . Otherwise, S simulates P₂ abortion.        -   (b) S chooses

${\rho \overset{r}{\leftarrow}Z_{q}},$

then computes C₂=Enc_(pk)(S+ρ·q)(t₁)⁻¹, where S is the value from thesignature S received from

_(BLMQ), and sets the oracle's reply message is C₂ and sends it to

.

-   -   3. Once        halts and outputs (m*,σ*), S outputs (m*,σ*) and halts.

We now prove that the equation 1 holds. In Phase 2, the view of

in the simulation of the distributed signature generation phase iscomputationally indistinguishable from its view from a real process ofPhase 2. The difference between

's view in real execution and in the simulation is C₂. In addition,because u is generated randomly by

_(BLMQ), and the distribution between u^(1/r) ¹ and g^(r) ² isidentical, so that R₂'s distribution between real execution and thesimulation is identical. The zero-knowledge proof and verification arealso identically distributed. So, the only difference is C₂. During thesimulation, it is an encryption of (S+ρ·q)(t₁)⁻¹, in real execution, itis a ciphertext of (r+ρ·q+h)·K_(ID) ⁽²⁾.

We observe that, in the definition of BLMQ signature,S=(r+h)K_(ID)=(r+h)K_(ID) ⁽¹⁾K_(ID) ⁽²⁾ mod q. Thus, (r+h)K_(ID)⁽²⁾=(t₁)⁻¹. S mod q means that there exists an integer I∈Z_(q) that(r+h)K_(ID) ⁽²⁾=(t₁)⁻¹. S+l·q. In the protocol, the operation without amodular reduction is that (r+h)K_(ID) ⁽²⁾. Therefore, the differencebetween the real execution and the simulation with S is:

1. Real: the ciphertext C₂ encrypts (t₁)⁻¹. S mod q+l·q+ρ·q

2. Simulation: the ciphertext C₂ encrypts (t₁)⁻¹. S mod q+ρ·q

It is worth pointing out that the distribution between real executionand simulation is identical. This proves that Equation 1 holds for b=1.

When b=2, i.e. P₂ is the corrupted one. The message C₂ sent by P₂ may becorrupted by

, and the simulator cannot detect whether C₂ is a correct ciphertext. Asin [Error! Reference source not found.], we let S simulates P₁ abortionat some random point, S chooses

$i\overset{r}{\leftarrow}\left\{ {1,\ldots \;,{{p(n)} + 1}} \right\}$

randomly, where p(n) is the upper bound number of queries made by

. S chooses i with the probability of

$\frac{1}{{p(n)} + 1},$

that is S simulates

's view with a probability of

$\frac{1}{{p(n)} + 1}.$

The probability of S forging a signature in Sign is at least

$\frac{1}{{p(n)} + 1}$

times of the probability that

forges a signature in DistSign.

Let

be a P.P.T adversary in Dist

_(,Π)(n), we construct a P.P.T adversary S for Sign_(S,π)(n). Theadversary S simulates the execution for A as follows:

-   -   1. In Sign, s receives (1^(n),ID), where ID is the identity to        generate the user's public key H₁(ID).    -   2. S invokes        on input 1^(n) and simulates oracle        in DistSign. Upon receiving a query (sid,m), where sid is a new        session identifier, S sets the oracle reply with (proof,1,R₁,C₁)        where R₁=u^(1/r) ² , and sends it to        . Then, S queries its signing oracle in Sign with m and receives        a signature (h,S) and S can compute u in the BLMQ signature        verification algorithm. Then,        queries S with identifier sid, which is processed as follows:        -   (a) The first message (sid,m₁) is processed by parsing m₁ as            (prove,2,R₂,r₂) which should be sent to

ℱ_(zk)^(R_(DL)).

-   -   -    S verifies the equation R₂=g^(r) ² and if the equation does            not hold, it simulates P₁ causing it to abort the protocol.        -   (b) The second message (sid,m₂) is processed by parsing m₂            as C₂. If this is the ith query by            , then S simulates P₁'s abortion. Otherwise, it continues.

    -   3. Once        halts and outputs (m*,σ*), S outputs (m*,σ*) and halts.

Let j be the first query to oracle Π with (sid,m₂), and P₁ does notobtain the valid signature (h,S) which corresponds to the public keyΠ₁(ID). If j=i, then the difference between the distribution of

's view in real execution and the simulated execution by S is theciphertext C₁. Since S does not hold the Paillier private key in thesimulation, the indistinguishability of the simulation follows from areduction of indistinguishability of the encryption scheme underChosen-Plaintext Attack (CPA).

We can learn that

 Pr  [ Sign S , π  ( 1 n ) = 1  i = j ] - Pr  [ Dist  , Π  ( 1 n) = 1 ]  + μ  ( n ) so Pr  [ Dist  , Π  ( 1 n ) = 1 ] + Pr  [ SignS , π  ( 1 n ) = 1 ] 1  /  ( p  ( n ) + 1 ) + μ  ( n ) i . e .  Pr [ Sign S , π  ( 1 n ) = 1 ] ≥ Dist  , Π  ( 1 n ) = 1 1  /  ( p ( n ) + 1 ) - μ  ( n )

It means that if

can forge a signature in Dist

_(,Π)(1^(n)) with a non-negligible probability, then S can forge asignature in Sign_(S,π).(1^(n)) with a non-negligible probability. Dueto BLMQ signature being existentially unforgeable, then our protocol issecure.

Theorem 2 If the Paillier-EC assumption is hard, then, Phase 2 computes

_(BLMQ) securely in the

_(zk), model in the presence of a malicious static adversary.

Proof. We analyze the security for the case of a corrupted P₁ and acorrupted P₂. First, let P₁ be corrupted by an adversary

, we construct a simulator S.

In the signing phase, P₁ cannot do anything. All it does is to generateu and receive a ciphertex C₂ from P₂. Due to ability to simulate theprotocol in the signing phase, a simulator can make the result equal tou in a signature received from

_(BLMQ). Therefore, the main challenge is to prove that the simulatorcan generate P₁'s view of the decryption of C₂, given only S,(h,S) from

_(BLMQ) where S=S·Q₁.

-   -   1. On input Sign(sid,m), S sends Sign(sid,m) to        _(BLMQ) and receives a signature (h,S).    -   2. S computes u using the BLMQ verification procedure.    -   3. S invokes        with input Sign(sid,m) and simulates the following messages to        ensure that the result is u:        -   (a) S receives (prove,1,(R₁,C₁),(r₁,sk)) from            .        -   (b) If R₁=g^(r) ¹ , then S sets R₂=u^(1/r) ¹ , and sends            (proof,2,R₂) to            .        -   Otherwise, S simulates P₂ abort, sends abortion to            _(BLMQ).    -   4. S chooses ρrZ_(q), then computes C₂=Enc_(pk)(S+ρ·q)(t₁)⁻¹,        where S is the value from the signature S received from        _(BLMQ), and sets the oracle reply        with C₂.

The only difference between the view of

in real and simulation is the way that C₂ is chosen. In the simulation,it is a ciphertext of (S+ρ·q)(t₁)⁻¹, in real execution, it is aciphertext of (r+ρ·q+h)·K_(ID) ⁽²⁾. It is statistically close betweenthese two scenarios.

Let P₂ be corrupted by

, and we construct a simulator S. In the signature generation phase, Sworks as follows:

-   -   1. On input Sign(sid,m), S sends Sign(sid,m) to        _(BLMQ) and receives a signature (h,S).    -   2. S computes u using the BLMQ verification procedure.    -   3. S invokes        with Sign(sid,m), sets R₁=u^(1/r) ² and sends        the message (proof,1,(R₁,C₁)) internally.    -   4. S receives (prove,2,R₂,r₂) which indicates that        intends to send to

ℱ_(zk)^(R_(DL)).

-   -   5. S verifies the equation R₂=g^(r) ² . If the equation does not        hold, then S simulates P₁ aborting.    -   6. S receives C₂ from P₂, decrypts C₂ by using sk and reduces        the result by modulo q. S checks if it is equal to (({tilde over        (r)}₁r₂+h)K_(ID) ⁽²⁾)q, where C₁=Enc_(pk)({tilde over (r)}₁) If        the equation holds, then S sends ‘continue’ to the trusted party        P₁, and lets P₁ provide the output. Otherwise, S sends ‘abort’        to P₁ to instruct P₁ to abort.

We modify S to a simulator S who have an oracle O_(c)(c′,α,β). Theoracle O_(c)(c′,α,β) outputs 1 if Dec_(sk)(c′,α,β)=α+β·{tilde over (r)}₁mod q. S′ simulates S as follows:

1. Compute α=h·K_(ID) ⁽²⁾ mod q.

2. Compute β=r₂·K_(ID) ⁽²⁾ mod q.

3. Query O_(c)(c′,α,β) to get b.

4. If b=1, S′ continues to simulate S.

S accepts if S′ accepts because these checks by S and S′ are equivalent.Due to the Paillier-EC assumption, we conclude that the output generatedby S in the ideal model is computationally indistinguishable from thereal execution. Since the output distributions of S and S are identicalin the ideal model; therefore, the output generated by S in the idealmodel is computationally indistinguishable from the real execution.

Zero-knowledge Proof. In our protocol, the main zero-knowledge proof forthe relation is R_(PDL). We use this zero-knowledge proof directly.Thus, we omit the construction here.

Proof that r is a discrete log of R. In this section, we propose theconstructions of zero-knowledge proof for the relation R_(DL) such that

R _(DL)={(G ₃ ,g,R,R,r)|R=g ^(r)}

We use Schnorr Zero Knowledge Proof to achieve this requirement. In thesigning phase, if a malicious P₂ sends (prove,R₂,r₂) to

_(zk) ^(R) ^(DL) , it also receives a correct message (proof,R₁) from

_(zk) ^(R) ^(DL) . However, P₁'s message in the protocol is assumed tobe zero knowledge and hence does not reveal any information about therandom integer r₁. The detailed zero-knowledge proof protocol isdescribed as follows:

The joint statement is (G₃,g,R), the prover has a witness r and wishesto prove that R=g^(r). When the Schnorr zero-knowledge proof generationalgorithm uses as input the public parameter P=(R,g,Q₁,Q₂,G₁,G₂,G₃),signer's identity ID, secret value r, and public value V=g^(r). Itoutputs (z,e) as follows:

1. Select

${k\overset{r}{\leftarrow}Z_{q}},$

compute K=g^(k).

2. Compute e=H(P,ID,K,V)

3. Compute z=K−re

When the Schnorr zero-knowledge proof verification algorithm uses asinput the public parameter P=(R,g,Q₁,Q₂,G₁,G₂,G₃), signer's identity ID,public value V=g^(r) and Schnorr zero-knowledge proof values(z,e). Itsoutputs are valid or invalid as follows:

1. Perform public key validation for V.

2. Let K_(v)=g^(z)V^(e).

3. Let e_(v)=H(P,ID,K_(v),V)

4. If e_(v)=e, then the signature is verified.

Performance and Experimental Results. In embodiments, the MIRACLCryptographic SDK may be used to implement embodiments of protocols. Forexample, embodiments of protocols were implemented and deployed on twoAndroid devices (Google Nexus 6 with a Quad-core, 2.7 GHz processor, 3Gbytes memory and the Google Android 7.1.2 operating system; SamsungGalaxy Nexus with a dual-core 1.2 GHz processor, 1G bytes memory and theGoogle Android 4.0 operating system) and a PC with an i7-6700 processor,8G bytes memory and the Microsoft Windows 7 operating system. As shownin FIG. 8, in this example, the two Android phones denote twoparticipants 802, 804, and the PC 806 represents the KGC.

Table 1 shows the different security levels of the curves.

TABLE 1 Security level Symmetric cipher key Bitlength of p in prime Typelength field F_(p) MNT k = 6 80 160 BN k = 12 128 256 KSS k = 18 192 512BLS k = 24 256 640

In order to evaluate the different security levels, the following curvesfrom Type-3 pairings were tested:

1. MNT k=6 curve that achieves AES-80 security.

2. BN k=12 curve that achieves AES-128 security.

3. KSS k=18 curve that achieves AES-192 security.

4. BLS k=24 curve that achieves AES-256 security.

In an embodiment, the BLMQ signature scheme was implemented on a SamsungGalaxy Nexus, and the running time of each algorithm for BLMQ signaturescheme is shown in Table 2 and FIG. 9.

TABLE 2 Each algorithm of BLMQ Signature (averages were computed over1,000 executions). KeyGen Sign Verify CurveAlgorithm (milliseconds)(milliseconds) (milliseconds) k = 6 5.83 22.16 139.94 k = 12 8.22 66.01188.61 k = 18 25.99 733.96 2738.34 k = 24 61.76 18676.92 36478.61

Progress in each instance of the distributed key generation phase wasanalyzed. Table 3 and FIG. 10 show the running times of the instancesand the verification algorithm.

TABLE 3 Distributed key generation and verification (averages werecomputed over 1,000 executions). Setup Distribute Verify CurveProgress(milliseconds) (milliseconds) (milliseconds) k = 6 145.27 567.42 122.42k = 12 145.92 1107.8 191.17 k = 18 2055.02 6211.14 2364.34 k = 2418506.28 8268.26 32116.37

The computation cost of progress in each instance in the distributedsignature phase. Table 4 and FIG. 11 show the results obtained. Step 1denotes the progress made by P₁ before P₁ sends a message to P₂, Step 2denotes the progress made by P₂, and Step 3 denotes the progress made byP₁ after receiving message from P₂. Table 5 presents the total runningtimes.

TABLE 4 Distributed signature generation (averages were computed over1,000 executions). CurveProgress Step 1 Step 2 Step 3 k = 6 146.03 ms222.43 ms 134.49 ms k = 12 198.28 ms 336.42 ms 174.83 ms k = 18 1647.47ms 2782.22 ms 1505.2 ms k = 24 18419.27 ms 35972.69 ms 17812.87 ms

TABLE 5 Distributed signature generation run time (average over 1,000executions). CurveDevice P₁ P₂ k = 6 280.52 ms 222.43 ms k = 12 373.11ms 336.42 ms k = 18 3152.67 ms 2782.22 ms k = 24 36232.14 ms 35972.69 ms

Conclusion. The ubiquity of wireless communications will continue in thefuture, ranging from autonomous vehicles to smart cities, and so on.Thus, ensuring the security of such wireless communications will becomeincreasingly important and challenging due to the increasingly complexenvironment and requirements.

In this paper, we have proposed an efficient and secure two-partydistributed signing protocol for the identity-based signature scheme inthe IEEE P1363 standard, which is designed to generate a valid signaturewithout the need to recover the private key. Both the security analysisand the performance evaluation of our proposed protocol havedemonstrated its potential to be used for the distributed signaturegeneration in the wireless environment.

An exemplary block diagram of a computing device 1200, in which entitiesand processes involved in the embodiments described herein may beimplemented, is shown in FIG. 12. Computing device 1200 may typically beimplemented using one or more programmed general-purpose computersystems, such as embedded processors, systems on a chip, personalcomputers, workstations, server systems, and minicomputers or mainframecomputers, or in distributed, networked computing environments.Computing device 1200 may include one or more processors (CPUs)1202A-1202N, input/output circuitry 1204, network adapter 1206, andmemory 1208. CPUs 1202A-1202N execute program instructions in order tocarry out the functions of the present communications systems andmethods. Typically, CPUs 1202A-1202N are one or more microprocessors,such as an INTEL CORE® processor.

FIG. 12 illustrates an embodiment in which computing device 1200 isimplemented as a single multi-processor computer system, in whichmultiple processors 1202A-1202N share system resources, such as memory1208, input/output circuitry 1204, and network adapter 1206. However,the present communications systems and methods also include embodimentsin which computing device 1200 is implemented as a plurality ofnetworked computer systems, which may be single-processor computersystems, multi-processor computer systems, or a mix thereof.

Input/output circuitry 1204 provides the capability to input data to, oroutput data from, computing device 1200. For example, input/outputcircuitry may include input devices, such as keyboards, mice, touchpads,trackballs, scanners, analog to digital converters, etc., outputdevices, such as video adapters, monitors, printers, etc., andinput/output devices, such as, modems, etc. Network adapter 1206interfaces device 1200 with a network 1210. Network 1210 may be anypublic or proprietary LAN or WAN, including, but not limited to theInternet.

Memory 1208 stores program instructions that are executed by, and datathat are used and processed by, CPU 1202 to perform the functions ofcomputing device 1200. Memory 1208 may include, for example, electronicmemory devices, such as random-access memory (RAM), read-only memory(ROM), programmable read-only memory (PROM), electrically erasableprogrammable read-only memory (EEPROM), flash memory, etc., andelectro-mechanical memory, such as magnetic disk drives, tape drives,optical disk drives, etc., which may use an integrated drive electronics(IDE) interface, or a variation or enhancement thereof, such as enhancedIDE (EIDE) or ultra-direct memory access (UDMA), or a small computersystem interface (SCSI) based interface, or a variation or enhancementthereof, such as fast-SCSI, wide-SCSI, fast and wide-SCSI, etc., orSerial Advanced Technology Attachment (SATA), or a variation orenhancement thereof, or a fiber channel-arbitrated loop (FC-AL)interface.

The contents of memory 1208 may vary depending upon the function thatcomputing device 1200 is programmed to perform. In the example shown inFIG. 12, exemplary memory contents are shown representing routines anddata for embodiments of the processes described above. However, one ofskill in the art would recognize that these routines, along with thememory contents related to those routines, may not be included on onesystem or device, but rather distributed among a plurality of systems ordevices, based on well-known engineering considerations. The presentsystems and methods may include any and all such arrangements.

In the example shown in FIG. 12, memory 1208 is shown as including bothkey generation center routines 1210 and user device routines 1212.However, in many embodiments, only one such set of routines may bepresent in the device. For example, a key generation center (KGC) may beimplemented using one or more server computer systems and may includeonly key generation center routines 1210, while a user device may be maybe implemented using a mobile device, such as a smartphone, and mayinclude only user device routines 1212.

In the example shown in FIG. 12, key generation center routines 1210 mayinclude key generation routines 1214 and signature generation routines1216, while user device routines 1212 may include key generationroutines 1218 and signature generation routines 1220. Key generationroutines 1214 may include software routines to perform the KGC portionof Phase 1 of embodiments of processes, as described above. Signaturegeneration routines 1216 may include software routines to perform theKGC portion of Phase 2 of embodiments of processes, as described above.Key generation routines 1218 may include software routines to performthe user device portion of Phase 1 of embodiments of processes, asdescribed above. Signature generation routines 1220 may include softwareroutines to perform the user device portion of Phase 2 of embodiments ofprocesses, as described above. Operating system 1222 may provide overallsystem functionalities.

As shown in FIG. 12, the present communications systems and methods mayinclude implementation on a system or systems that providemulti-processor, multi-tasking, multi-process, and/or multi-threadcomputing, as well as implementation on systems that provide only singleprocessor, single thread computing. Multi-processor computing involvesperforming computing using more than one processor. Multi-taskingcomputing involves performing computing using more than one operatingsystem task. A task is an operating system concept that refers to thecombination of a program being executed and bookkeeping information usedby the operating system. Whenever a program is executed, the operatingsystem creates a new task for it. The task is like an envelope for theprogram in that it identifies the program with a task number andattaches other bookkeeping information to it.

Many operating systems, including Linux, UNIX®, OS/2®, and Windows®, arecapable of running many tasks at the same time and are calledmultitasking operating systems. Multi-tasking is the ability of anoperating system to execute more than one executable at the same time.Each executable is running in its own address space, meaning that theexecutables have no way to share any of their memory. Thus, it isimpossible for any program to damage the execution of any of the otherprograms running on the system. However, the programs have no way toexchange any information except through the operating system (or byreading files stored on the file system).

Multi-process computing is similar to multi-tasking computing, as theterms task and process are often used interchangeably, although someoperating systems make a distinction between the two. The presentinvention may be a system, a method, and/or a computer program productat any possible technical detail level of integration. The computerprogram product may include a computer readable storage medium (ormedia) having computer readable program instructions thereon for causinga processor to carry out aspects of the present invention. The computerreadable storage medium can be a tangible device that can retain andstore instructions for use by an instruction execution device.

The computer readable storage medium may be, for example, but is notlimited to, an electronic storage device, a magnetic storage device, anoptical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing.

A computer readable storage medium, as used herein, is not to beconstrued as being transitory signals per se, such as radio waves orother freely propagating electromagnetic waves, electromagnetic wavespropagating through a waveguide or other transmission media (forexample, light pulses passing through a fiber-optic cable), orelectrical signals transmitted through a wire. Computer readable programinstructions described herein can be downloaded to respectivecomputing/processing devices from a computer readable storage medium orto an external computer or external storage device via a network, forexample, the Internet, a local area network, a wide area network and/ora wireless network. The network may comprise copper transmission cables,optical transmission fibers, wireless transmission, routers, firewalls,switches, gateway computers, and/or edge servers. A network adapter cardor network interface in each computing/processing device receivescomputer readable program instructions from the network and forwards thecomputer readable program instructions for storage in a computerreadable storage medium within the respective computing/processingdevice.

Computer readable program instructions for carrying out operations ofthe present invention may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data, configuration data for integrated circuitry, oreither source code or object code written in any combination of one ormore programming languages, including an object oriented programminglanguage such as Smalltalk, C++, or the like, and procedural programminglanguages, such as the “C” programming language or similar programminglanguages. The computer readable program instructions may executeentirely on the user's computer, partly on the user's computer, as astand-alone software package, partly on the user's computer and partlyon a remote computer or entirely on the remote computer or server. Inthe latter scenario, the remote computer may be connected to the user'scomputer through any type of network, including a local area network(LAN) or a wide area network (WAN), or the connection may be made to anexternal computer (for example, through the Internet using an InternetService Provider).

In some embodiments, electronic circuitry including, for example,programmable logic circuitry, field-programmable gate arrays (FPGA), orprogrammable logic arrays (PLA) may execute the computer readableprogram instructions by utilizing state information of the computerreadable program instructions to personalize the electronic circuitry,in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of theinvention. It will be understood that each block of the flowchartillustrations and/or block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions. These computer readable programinstructions may be provided to a processor of a general purposecomputer, special purpose computer, or other programmable dataprocessing apparatus to produce a machine, such that the instructions,which execute via the processor of the computer or other programmabledata processing apparatus, create means for implementing thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

These computer readable program instructions may also be stored in acomputer readable storage medium that can direct a computer, aprogrammable data processing apparatus, and/or other devices to functionin a particular manner, such that the computer readable storage mediumhaving instructions stored therein comprises an article of manufactureincluding instructions which implement aspects of the function/actspecified in the flowchart and/or block diagram block or blocks. Thecomputer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks. The flowchart and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods, and computer program products according to variousembodiments of the present invention. In this regard, each block in theflowchart or block diagrams may represent a module, segment, or portionof instructions, which comprises one or more executable instructions forimplementing the specified logical function(s).

In some alternative implementations, the functions noted in the blocksmay occur out of the order noted in the Figures. For example, two blocksshown in succession may, in fact, be executed substantiallyconcurrently, or in the reverse order, depending upon the functionalityinvolved. It will also be noted that each block of the block diagramsand/or flowchart illustration, and combinations of blocks in the blockdiagrams and/or flowchart illustration, can be implemented by specialpurpose hardware-based systems that perform the specified functions oracts, or that carry out combinations of special purpose hardware andcomputer instructions. Although specific embodiments of the presentinvention have been described, it will be understood by those of skillin the art that there are other embodiments that are equivalent to thedescribed embodiments. Accordingly, it is to be understood that theinvention is not to be limited by the specific illustrated embodiments,but only by the scope of the appended claims.

From the above description, it can be seen that the present inventionprovides a system, computer program product, and method for theefficient execution of the described techniques. References in theclaims to an element in the singular is not intended to mean “one andonly” unless explicitly so stated, but rather “one or more.” Allstructural and functional equivalents to the elements of theabove-described exemplary embodiment that are currently known or latercome to be known to those of ordinary skill in the art are intended tobe encompassed by the present claims. No claim element herein is to beconstrued under the provisions of 35 U.S.C. section 112, sixthparagraph, unless the element is expressly recited using the phrase“means for” or “step for.”

While the foregoing written description of the invention enables one ofordinary skill to make and use what is considered presently to be thebest mode thereof, those of ordinary skill will understand andappreciate the existence of alternatives, adaptations, variations,combinations, and equivalents of the specific embodiment, method, andexamples herein. Those skilled in the art will appreciate that thewithin disclosures are exemplary only and that various modifications maybe made within the scope of the present invention. In addition, while aparticular feature of the teachings may have been disclosed with respectto only one of several implementations, such feature may be combinedwith one or more other features of the other implementations as may bedesired and advantageous for any given or particular function.Furthermore, to the extent that the terms “including”, “includes”,“having”, “has”, “with”, or variants thereof are used in either thedetailed description and the claims, such terms are intended to beinclusive in a manner similar to the term “comprising.”

Other embodiments of the teachings will be apparent to those skilled inthe art from consideration of the specification and practice of theteachings disclosed herein. The invention should therefore not belimited by the described embodiment, method, and examples, but by allembodiments and methods within the scope and spirit of the invention.Accordingly, the present invention is not limited to the specificembodiments as illustrated herein, but is only limited by the followingclaims.

What is claimed is:
 1. A method comprising: generating a distributedcryptographic key at a key generation center and a first other deviceand a second other device; and generating a distributed cryptographicsignature at the first other device using the second other device. 2.The method of claim 1, wherein generating the distributed cryptographickey comprises: generating, at the key generation center, a user IDprivate key based on a user ID, and a Pallier key pair comprising apublic key and a private key; transmitting the user ID private key, thePallier public key, and the Pallier secret key from the key generationcenter to the first other device; and transmitting the user ID privatekey and the Pallier public key from the key generation center to thesecond other device.
 3. The method of claim 2, wherein the generating adistributed cryptographic signature comprises: transmitting a messagefrom the first other device to a zero knowledge functionality, themessage comprising a request for proof that the second other devicepossesses the the user ID private key; and in response to receiving themessage from the first other device, transmitting a message from thezero knowledge functionality to the second other device comprising proofthat the first other device possesses the user ID private key.
 4. Themethod of claim 3, wherein the generating a distributed cryptographicsignature further comprises: in response to receiving the message fromthe zero knowledge functionality, transmitting a message from the secondother device to the zero knowledge functionality comprising a requestfor proof of a relation; and in response to receiving the message fromthe second other device, transmitting a message from the zero knowledgefunctionality comprising proof that the second other device possessesthe relation.
 5. The method of claim 4, wherein the generating adistributed cryptographic signature further comprises: in response toreceiving the message from the zero knowledge functionality,transmitting a message from the second other device to the first otherdevice comprising a challenge based on the relation; and in response toreceiving the message from the zero knowledge functionality and themessage from the second other device, computing, at the first otherdevice, a signature based on the user ID private key and on thechallenge.
 6. A system comprising: a key generation center adapted togenerate a distributed cryptographic key in communication with a firstother device; the first other device adapted to generate a distributedcryptographic signature in communication with key generation center andusing a second other device; and the second other device adapted to togenerate the distributed cryptographic signature in communication withthe first other device.
 7. The system of claim 6, wherein the keygeneration center is further adapted to generate the distributedcryptographic key by: generating a user ID private key based on a userID, and a Pallier key pair comprising a public key and a private key;transmitting the user ID private key, the Pallier public key, and thePallier secret key to the first other device; and transmitting the userID private key and the Pallier public key to the second other device. 8.The system of claim 7, wherein the first other device is further adaptedto generate the distributed cryptographic signature by transmitting amessage to a zero knowledge functionality, the message comprising arequest for proof that the second other device possesses the the user IDprivate key; and the zero knowledge functionality is adapted to, inresponse to receiving the message from the first other device, transmita message to the second other device comprising proof that the firstother device possesses the user ID private key.
 9. The system of claim8, wherein the second other device is further adapted to generate thedistributed cryptographic signature by, in response to receiving themessage from the zero knowledge functionality, transmitting a message tothe zero knowledge functionality comprising a request for proof of arelation; and the zero knowledge functionality is further adapted to, inresponse to receiving the message from the second other device,transmitting a message from the zero knowledge functionality comprisingproof that the second other device possesses the relation.
 10. Thesystem of claim 9, wherein the second other device is further adapted togenerate the distributed cryptographic signature by, in response toreceiving the message from the zero knowledge functionality,transmitting a message the first other device comprising a challengebased on the relation; and wherein the first other device is furtheradapted to generate the distributed cryptographic signature by, inresponse to receiving the message from the zero knowledge functionalityand the message from the second other device, computing a signaturebased on the user ID private key and on the challenge.
 11. A computerprogram product comprising a non-transitory computer readable storagehaving program instructions embodied therewith, the program instructionsexecutable by at least one computer system, to cause each computersystem to perform a method comprising: generating a distributedcryptographic key at a key generation center and a first other deviceand a second other device; and generating a distributed cryptographicsignature at the first other device using the second other device. 12.The computer program product of claim 11, wherein generating thedistributed cryptographic key comprises: generating, at the keygeneration center, a user ID private key based on a user ID, and aPallier key pair comprising a public key and a private key; transmittingthe user ID private key, the Pallier public key, and the Pallier secretkey from the key generation center to the first other device; andtransmitting the user ID private key and the Pallier public key from thekey generation center to the second other device.
 13. The computerprogram product of claim 12, wherein the generating a distributedcryptographic signature comprises: transmitting a message from the firstother device to a zero knowledge functionality, the message comprising arequest for proof that the second other device possesses the the user IDprivate key; and in response to receiving the message from the firstother device, transmitting a message from the zero knowledgefunctionality to the second other device comprising proof that the firstother device possesses the user ID private key.
 14. The computer programproduct of claim 13, wherein the generating a distributed cryptographicsignature further comprises: in response to receiving the message fromthe zero knowledge functionality, transmitting a message from the secondother device to the zero knowledge functionality comprising a requestfor proof of a relation; and in response to receiving the message fromthe second other device, transmitting a message from the zero knowledgefunctionality comprising proof that the second other device possessesthe relation.
 15. The computer program product of claim 14, wherein thegenerating a distributed cryptographic signature further comprises: inresponse to receiving the message from the zero knowledge functionality,transmitting a message from the second other device to the first otherdevice comprising a challenge based on the relation; and in response toreceiving the message from the zero knowledge functionality and themessage from the second other device, computing, at the first otherdevice, a signature based on the user ID private key and on thechallenge.